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GENERATION OF REPEATABLE CRYPTOGRAPHIC 
KEY BASED ON VARYING PARAMETERS 

This application claims the benefit of U.S. Provisional Application Serial No. 
60/128,413, filed April 8, 1999 and U.S. Provisional Application Serial No. 60/147,880 
filed August 9, 1999, both of which are incorporated herein by reference. 



5 Field of the Invention 

The present invention relates generally to computer security. More particularly, 
the present invention relates to the generation and use of cryptographic keys for computer 
security applications. 



10 Background of the Invention 

As computer use becomes more widespread, the problem of computer system 
security also becomes increasingly critical. The volume of information stored in 
computer systems is grov^ng at a large rate. Further, the accessibility of such 
information systems is increasing due to the interconnection of computer systems through 

1 5 networks such as the Internet. A major problem facing computer ovmers is how to 

protect computer systems, and the information they contain, from adversaries wishing to 
gain unauthorized access to stored information. 

One type of computer system security is referred to as authentication. 
Authentication refers to confirming the identity of a user prior to allowing access to a 

20 computer system. Most authentication schemes are based on the user's knowledge of a 
secret, called a password. A user must have knowledge of a secret password in order to 
gain access to the computer system. 

Another type of computer system security is referred to as encryption. Some, or 
all, of the information on the computer system may be encrypted such that the 

25 information is rendered unreadable or unusable until it is decrypted. Like authentication, 
decryption also relies on the knowledge of a secret, called a key, which is used to decrypt 
the information. Thus, even though a person may have access to information, that 
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infomation may be useless to someone who does not possess the appropriate decryption 
key. 

These two security techniques of authentication and encryption are related in 
many ways. For example, a secret known by a user may serve as both a password and a 
5 decryption key. Further, a computer system may employ both types of security 
techniques. 

With respect to authentication, textual passwords have been, and remain, the 
prunary means of authenticating users. However, passwords have been shown to be a 
relatively weak mechanism for authentication. Studies have shown that users tend to 

1 0 choose passwords that can be easily guessed by an exhaustive search of a relatively small 
subset of all possible passwords. For example, in a study of 14,000 computer system 
passwords, it was found that almost 24% of the passwords could be found in a 
"dictionary" of only 3x10* words. Considering the high speed at which a computer 
could generate and test 3x10* words, passwords are considered to be a weak form of 

15 computer security. 

One known technique for strengthening passwords is to require not only that the 
correct password be typed, but also that the user's keystroke features (e.g. duration of 
keystrokes and latency between keystrokes) match a predetermined stored model of 
expected keystroke features. This technique is effective against so-called online attacks 

20 in which an adversary is attempting to gain access to a computer system through the 

computer's authentication system. However, this technique is not effective against a so- 
called off-line attack, in which an adversary gains physical access to the computer's data, 
for example by taking physical possession of a laptop computer or by otherwise 
circumventing the computer's authentication system. Once an adversary has physical 

25 access to computer information, the above described keystroke feature technique is 
uieffective. Further, if an adversary gets physical access to a computer which allows 
access to the stored keystroke feature models, the models may leak sensitive information 
which would then make it easier for the adversary to determine actual user passwords. 
Other techniques exist which do not require the storage of such models in 
30 memory. For example, U.S. patent no. 5,680,460 describes a technique in which a user's 
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fingerprint characteristics are measured and various filters are applied to the 
measurements to generate a key which can then be used to authenticate the user on a 
computer system. Another example is G.I. Davida, Y. Frankel, and BJ. Matt^ On 
Enabling Secure Applications Through Ojf-Line Biometric Identification, Proceedings of 
5 the 1998 IEEE Symposium on Security and Privacy, pp. 148-157, May 1998, in which 
error correcting parameters are used to decode biometric (e.g. iris scan) readings into a 
canonical form for a particular user. This canonical form may then be used to generate a 
key for authentication purposes. However, both of these techniques also suffer from the 
above described deficiency in that any compromise of the underlying system data (either 
1 0 the filters or the error correcting parameters) will leak sensitive information which, in 
certain applications, would allow an adversary to more easily determine the user's 
authentication key. 

Summary of the Invention 

1 5 The present invention provides for the generation of a repeatable cryptographic 

key based on potentially varying parameters which are received, for example, during a 
computer resource access attempt. The key is repeatable in that the same key may be 
generated using different received parameters. In accordance with the invention, so- 
called cryptographic shares are retrieved firom memory locations identified as a function 

20 of the parameters. The key may be determined fi*om knowledge of a sufficient number of 
cryptographic shares. 

In accordance with one embodiment, values of the received parameters are used 
to generate indices into a so-called share table which stores valid and invalid 
cryptographic shares. Valid cryptographic shares (i.e., those which may be used to 

25 generate the key) are stored in memory locations whose indices are expected to be 
generated during legitimate access attempts. Invalid cryptographic shares (i.e., those 
which may not be used to generate the key) are stored in memory locations whose indices 
are not expected to be identified during legitimate access attempts. Thus, the share table 
may be configured to take into account expected variations in the received parameters. In 

30 accordance with one technique, valid shares may be periodically replaced with invalid 
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shares (and vice versa) based on a history of access attempts and a change in expected 
parameter values. 

In various embodiments, the stored shares may be encrypted in various ways. In 
one embodiment, the shares are encrypted using a value computed as a function of 
5 expected parameter values. In this embodiment, one encrypted share is stored and 

associated v^ith each parameter. When a parameter is received during an access attempt, 
the associated stored encrypted share is retrieved from memory and an attempt to decrypt 
the share is made using a value computed as a function of the parameter value. Only if 
the computed value is the same as the value used to encrypt the share (i.e., the expected 

10 value) will a valid share be obtained. Otherwise, an invalid share will be obtained. In 
various embodiments, the cryptographic shares may be chosen so as to allow generation 
of the key even if some nixmber of invalid shares are generated, as long as a sufficient 
number of valid shares are generated. This embodiment is particularly advantageous 
when the number of possible parameter values is very large. This embodiment is 

1 5 described in further detail below in accordance with an embodiment of the invention in 
which the contents of a database may be decrypted using parameters representing 
measured DNA information. 

Various secret sharing schemes may be used to generate the cryptographic shares. 
In accordance with one embodiment of the invention, a so-called polynomial secret 

20 sharing scheme is used. In this embodiment, the secret key is the point where the 

polynomial crosses the y axis and the cryptographic shares are points on the polynomial. 
Knowledge of a sufficient number of points on the polynomial (i.e., cryptographic 
shares), allows for the determination of the polynomial, and thus determination of the 
key. These polynomial points may be stored in a straightforward manner by storing (x,y) 

25 pair values in the share table. Alternatively, in order to save memory space (at the 

expense of an increase in computational complexity) compressed shares may be stored in 
the share table. 

In accordance with an advantageous embodiment of the invention, the inventive 
techniques are used to implement a keystroke feature authentication system in which 
30 users are authenticated based on a combination of an entered password and the manner in 
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which the password was typed. In accordance with this embodiment, a share table 
contains a row for each keystroke feature to be considered (e.g., duration of keypresses, 
latencies between keypresses). Upon receipt of a measured keystroke parameter, a 
function chooses one of two columns in the share table associated with the parameter 
5 row, depending on a comparison of the parameter with a predetermined threshold. A 
history of legitimate authentications is kept. When a measured keystroke parameter 
consistently results in the function choosing one of the two columns, the associated 
keystroke feature is considers a distinguishing feature, and the other of the two columns 
in the share table is updated to contain an invalid cryptographic share. Over time, the 

10 share table is updated such that only share table entries which are expected to be accessed 
during future legitimate access attempts contain valid cryptographic shares, while the 
share table entries which are not expected to be accessed during a legitimate access 
attempt contain invalid cryptographic shares. In this manner, an illegitimate access 
attempt will retrieve invalid cryptographic shares from the share table such that it will not 

15 be possible to generate the cryptographic key. In accordance with another aspect of this 
embodiment, the shares stored in the share table are encrypted using the password as the 
decryption key in order to add additional security. 

These and other advantages of the invention will be apparent to those of ordinary 
skill in the art by reference to the following detailed description and the accompanying 

20 drawings. 



Brief Description of the Drawings 

Fig. 1 shows an exemplary share table; 

Fig. 2 illustrates an exemplary polynomial which may be used in conjunction with 
25 a polynomial secret sharing scheme; 

Fig. 3 illustrates a share table which stores compressed cryptographic shares; 
Fig. 4 illustrates a share table which stores encrypted cryptographic shares; 
Fig. 5 illustrates a share table in accordance with a keystroke features 
authentication embodiment of the invention; and 
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Fig. 6 illustrates a history table in accordance with a keystroke features 
authentication embodiment of the invention. 

Detailed Description 

5 The present invention provides for the generation of a repeatable cryptographic 

key based on a set of potentially varying parameters. The cryptographic key is repeatable 
in that the same key is generated notwithstanding that the parameters, on which 
generation of the key is based, may vary from one generation of the key to the next. In 
an advantageous embodiment, the parameters represent measurements of some physical 

10 characteristics of either a person or a thing. For example, one class of physical 

characteristics is biometric characteristics of a person. As used herein, the term biometric 
characteristics includes any measurable biological, physiological, or biomechanical 
characteristics of a person. Such characteristics include, for example, fingerprint, iris, 
DNA, typing patterns, voice, blood, etc. Thus, for computer security applications of the 

1 5 present invention, any biometric characteristic, or combination of biometric 

characteristics, which could reasonably identify a particular person would be appropriate. 
Another class of physical characteristics are the characteristics of things (e.g. non- 
biological items). Such characteristics include, for example, chemical or molecular 
composition, etc. Although the following description describes the invention in terms of 

20 parameters representing measurements of physical characteristics, it is to be understood 
that the invention is not limited to any particular type of parameters, but instead applies to 
any type of varying parameters. 

Actual measurement techniques will vary depending on the embodiment of the 
invention, and the details of particular measurement techniques are not the subject of this 

25 invention. It is the use of the physical measurements, once obtained, to generate a 

repeatable cryptographic key for use in computer security appUcations that is the subject 
of this invention. Thus, we assume that the measurements have been made and that we 
are supplied with physical measurement parameters, represented here as parameters: 
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It is expected that the measurements of the same physical characteristics of the 
same entity may vary from one measurement to the next. This may be due to two factors. 
First, the measured physical characteristic itself may be dynamic. For example, if the 
measured physical characteristic were the biometric characteristics of voice (e.g. pitch, 
5 amplitude) during the speaking of some word or phrase, it is expected that an individual's 
voice characteristics will not be exactly the same during repeated vocalizations of the 
same word or phrase. As such, the measured characteristics represented as parameters 
(p^,(p2,'" <}>m will be different even though the same person speaks the same word or 
phrase. Second, the measured physical characteristic itself may be static, but the 

10 measurement of the physical characteristic may be imprecise or incomplete. For 

example, a person's fingerprint is static, but the results of different measurements of the 
same fingerprint may change slightly, due to imprecise measuring equipment, or because 
of an incomplete sample. 

One of the advantages of the present invention is its ability to generate a 

1 5 repeatable cryptographic key in view of varying measurements. As a result, the invention 
may be used for various computer security applications. For example, as will be 
described in further detail below, in one embodiment the inventive technique is used to 
authenticate computer system users based on particular keystroke features during entry of 
a password. A user must be authenticated even though his/her keystroke features will 

20 change slightly during multiple entries of the same password. The present invention will 
generate a repeatable key for a particular user if the keystroke feature measurements vary 
within certain tolerances, thus authenticating the user. 

In another embodiment (also discussed in further detail below) the invention may 
be used to protect information in a sensitive database containing private information. For 

25 example, consider a database which contains private information of convicted felons 
which is only meant to be used for legitimate criminal investigation purposes. For 
example, if a criminal is suspected of a crime the database record for only that particular 
criminal should be accessible by investigators. As such, each record in the database is 
encrypted and may only be decrypted using a key which is generated using DNA 

30 measurements of the associated person. This is to assure that prior to accessing 
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potentially private information about a person, the person's DNA has already been 
recovered from a crime scene, thus making the person a suspect in a crime. While a 
person's DNA is not dynamic, imprecise measurement techniques or imprecise samples 
may result in having incomplete DNA measurements. In accordance with the techniques 
5 of the present invention, a repeatable key to unlock the database records could be 
generated with this incomplete DNA information. 

In advantageous embodiments, the invention may be implemented using a 
programmable computer. Such a computer comprises a processor for executing computer 
program code stored in a memory which is accessible by the processor. As used herein, 

1 0 the term memory is used to refer to any computer readable medium, including without 
limitation, random access memory (RAM), read only memory (ROM), magnetic disk, 
optical disk, and holographic memory. In an advantageous embodiment, the computer 
program code is stored in a high speed memory, such as a RAM, which is connected to 
the computer processor. The computer program code required to implement the 

1 5 invention may be written in any well known computer language. Given the present 
description of the invention, one of ordinary skill in the art to which the invention 
pertains could readily write the program code necessary to implement the invention. The 
data structures described below (e.g. the share table) are also stored in memory. A user 
interacts with the computer using well known input/output devices and techniques (e.g. 

20 display screen, keyboard, mouse). Programmable computers of the type described herein 
are well known in the art and as such, further details are not required here. 

As described above, we will assume that measurements of some physical 
characteristic have been taken and we are thus in possession of parameters , ^2 ? * ' " ^m' 
representing those physical characteristics. In one embodiment of the invention, a 

25 function /is applied to the parameters ^1 , ^2 ? ' " ^m' order to generate a set of indices 

Wx^Wi^'^'W m s^^h /(^^i ? ^2 ' ' * ' ^/»' ) = {^1 ' ^2 5 • * * } • (The subscript m ' is used for 
the parameters (^z>) to indicate that there need not be the same number of parameters (<^) 
and indices (^) ). The indices y/\^y^2r>^"¥m ^^^^ access a set of stored values, 
where at least some of the stored values are so-called cryptographic shares of a secret 
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sharing scheme. Secret sharing schemes and cryptographic shares will be described in 
further detail below. At this point, let it suffice to say that possession of a sufficient 
number of valid cryptographic shares of a secret sharing scheme may be used to generate 
the repeatable key. In order to provide security, not all the stored values represent valid 
5 cryptographic shares. Instead, the particular values in the set of values which contain 
valid cryptographic shares are chosen to correspond to values of the indices y/^.y/^,-* y/,,, 
which are expected to be generated during a legitimate attempt to access the computer 
resource. The other values in the set (i.e., those for which corresponding indices are not 
expected to be generated during a legitimate access attempt) do not contain valid 
10 cryptographic shares. As will be described in further detail below, a designer of the 
security system will be able to identify the indices which would be expected to be 
generated during a legitimate access attempt. 

As an example, consider the physical measurement parameters , , ^3 , ^4 
corresponding to 4 measured keystroke features of a particular user during the typing of a 
1 5 password. Further, assume that the fianction / when applied to these parameters, 

produces a set of indices, each in the range of 1-10. For example, the indices in the range 
of 1-10 may be a result of normalizing the latency measurements. Also, assxxme that the 
user has engaged in a training session during which the user typed the password five 
times. After applying the function / to the parameters , ^2 5 ^3 ? generated during the 
20 training session, the indices y/ ^.xj/ -^,xj/ y/^ were generated as follows: 

password entry 1 : W\^Wi^Wz->W a^ 1^5,9,3 

password entry 2: y/ x^y^ i^W z'>W a ~ 256,9,3 

password entry 3 : W\^Wir>Wi^W a^ 2,5,8,4 

password entry 4: Wx^Wi^Wz^Wa - 3,5,8,3 
25 password entry 5: y/^^y/^^y/^^y/ ^ 

From this information, a security designer can conclude that expected values of the 
indices for this user are as follows: 
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TNDFY 


VALUES 


¥^ 


1,2,3 


^1 


5,6 


¥3 


7,8,9 


¥^ 


3,4 



The indices are used to select values from a data structure called a share table, so named 
because it contains cryptographic shares. An exemplary share table is shown in Fig. 1 as 
table 100. The indices select values from the share table as follows. The first index 
5 ^1 selects a value from the first row, the second index xf/^ selects a value from the second 
row, the third index xj/^ selects a value from the third row, and the fourth index \j/ ^ selects 
a value from the fourth row. The value of the particular index determines the column 
from which the value is selected. Thus, using conventional (row, column) notation, given 
an index i//^ a value is selected from the share table 100 at location (r, ) . 

10 Based on the expected values found during the training session, the locations in 

the share table 100 corresponding to the expected values for each of the indices will be 
set to contain valid cryptographic shares such that the repeatable key may be generated 
from those valid cryptographic shares. Those locations which do not correspond to the 
expected values for each of the indices v^U be set to contain values which are not valid 

1 5 cryptographic shares, called invaUd cryptographic shares, such that the repeatable key 
may not be generated from those values. In Fig. 1, locations in share table 100 which 
contain valid cryptographic shares are identified with a ^ and locations which contain 
invalid cryptographic shares are identified with a X , 

Secret sharing schemes will be described in fiirther detail below. For purposes of 

20 the present example, assume that four valid cryptographic shares are required to generate 
the repeatable key. Also assume that on a particular access attempt the user types his/her 
password and the function / generates the following indices based on measurements of 
the keystroke features: 
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access attempt 1 ; y/^^^/^.y/^.y/^^ 2,6,8,4 
Note that although this exact set of indices did not appear in any of the training sessions, 
each of the values is an expected value for the corresponding index. As such, the indices 
correspond to locations in the share table 100 which contain valid cryptographic shares. 
5 More particularly, index y/^ selects row 1, column 2 from the share table, index y/^ 

selects row 2, column 6 from the share table, index y/^ selects row 3, column 8 from the 
share table, and index y/^ selects row 4, column 4 from the share table. As can be seen 
from Fig. 1, each of these share table locations contains a valid cryptographic share as 
indicated by a / . As such, the correct repeatable key could be generated from the valid 

1 0 cryptographic shares and the user would be authenticated. 

Alternatively, assume that the user types his/her password and the function / 
generates the following indices based on measurements of the keystroke features: 

access attempt 2: y/^.y/^.y/^.W^ = 2,7,5,4 
Note here that the index values for y/^ , y/^ are not expected values for these indices and 

15 as such, the entries in the share table 100 corresponding to these indices (row 2, colunm 7 
and row 3, colunm 5) contain X indicating an invalid cryptographic share. As such, the 
correct repeatable key could not be generated from these cryptographic shares and the 
user would not be authenticated. Further details of an advantageous keystroke feature 
authentication embodiment of the invention will be given below, 

20 According to one embodiment of the invention, errors, or variations, in measured 

physical characteristics may also be tolerated by selecting share table locations which 
were not actually indexed by the set of indices generated by the fiinction / This error 
tolerance is advantageously accomplished by selecting share table locations which are in 
the vicinity of locations actually indexed by the indices generated by the function / For 

25 example, assume the share table 100 shown in Fig. 1 and an embodiment in which four 
indices yf\^Wi^Wi^ ¥a generated. If the repeatable key is not generated correctly by 
selecting shares from the share table locations indexed by W x-^yf a y "^^en the 

system may first attempt to vary the selection of a share table location associated with the 
first index y/^ by choosing, during two separate key generation attempts, the share table 



11 



p. L. Bohannon 11-20-1-2-2 

location on either side of the location indexed hy y/^. If the generation of the repeatable 
key is unsuccessftil, the system may then attempt to vary the selection of a share table 
location associated with the second index y/^ in a similar manner. These steps of 
varying the actual chosen share table location may continue for each of the indices. Of 
5 course, this process of varying the selection of share table locations may be extended in 
order to implement an appropriate security scheme for different embodiments of the 
invention. For example, diiring each key generation attempt, one or more share table 
locations may be chosen using this variation technique. Further, the amount of variation 
allov^ed for each location may vary. As described above, the variation consists of one 

10 table location on either side of the actual indexed location. However, the variation may 
also consist of more than one table location on either side of the actual indexed location. 
Additionally, depending on the implementation, it may be appropriate to vary the 
selection of a share table location for only certain of the indices. Of course, many other 
variation techniques may be used and are contemplated by this description. 

15 Advantageously the invalid cryptographic shares in a share table should be chosen 

such that they cannot be readily recognized as invalid by an adversary who compromises 
the computer system data and gains access to the share table. In this way, the adversary 
would not be able to gain any information from the share table. Further, the values in a 
share table may be encrypted for further security. For example, as will be described in 

20 further detail below, in the keystroke feature authentication embodiment, the values in the 
share table are encrypted with the user's actual password in order to provide additional 
security. 

Thus, as can be seen, the techniques in accordance with the present invention 
allow a repeatable key to be generated notwithstanding variations in measured physical 
25 characteristics. The amount of variation allowed is defined by the configuration of the 
share table as well as the error tolerance technique described above. 

As described above, a share table contains at least some valid cryptographic 
shares of a secret sharing scheme. There are various types of secret sharing schemes, and 
various ones of these schemes may be used to generate the cryptographic shares for 
30 storage in the share table. One type of secret sharing scheme is a polynomial secret 
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sharing scheme, the details of which are described in A. Shamir, How To Share A Secret, 
Communications of the ACM 22(1 1):612-613, November 1979, which is incorporated 
herein by reference. Since a detailed description of the scheme may be found in the 
reference, the scheme will only be described in general terms herein. A secret key k is 
5 chosen from the integers mod q, where q is prime. (For notational simphcity, unless 
otherwise stated, the calculations described below for generating the secret key k are 
performed mod q). Then, a threshold t is determined which represents how many 
cryptographic shares are required to generate the secret key k. This is a design choice 
that would be determined based on the particular embodiment of the invention. Next a 

10 degree M polynomial p is chosen at random such that p{0) = k . This polynomial is 

illustrated in Fig. 2. Note that k is illustrated as the point at which the polynomial crosses 
the y axis, that is, p{0) = k , As is well known, a polynomial of degree d can be 
determined from a knowledge of d+l points on that polynomial by using well known 
interpolation techniques. Thus, since is a degree M polynomial, knowledge of t points 

15 on that polynomial are sufficient to determine p. Further, once p is known, j?(0) can be 
determined, which is the secret key L Thus, by knowing t points on the polynomial, the 
secret key k can be determined as follows. 

Given points (Xpp(x^)),...,(x^,p(x^))onthe degree-(r-7) polynomial p over the 

integers mod q, the value k ^p(0) can be computed as 

20 

P(0) = i]c,^pix^) 



25 



where 

X 



. = n — 

\<j<t,j^i Xj 



Thus, in accordance with one embodiment of the invention, the valid cryptographic 
shares which are stored in the share table are points on the polynomial p. Any number of 
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polynomial points can be stored in the table, with an understanding that access to any / of 
those points will be enough to generate the secret key L 

Referring to Fig. 2, examples of points on the polynomial, and therefore valid 
cryptographic shares in the polynomial secret sharing scheme, would be 
5 (Xj , p(x^ )), , p(x2 )), (X3 , p(x^ )), (X4 /7(x4 )) . Thcsc valid cryptographic shares would be 
stored in share table locations which, as described above, correspond to expected index 
values which would be generated during a legitimate access attempt. Invalid 
cryptographic shares, to be stored in share table locations which do not correspond to 
expected index values, can be chosen from points off the polynomial p, for example 

10 points 201, 202, 203. 

Thus, in a straightforward approach, polynomial points are stored in the share 
table locations as pairs (x.,p(xj) . 

In an alternative to the straightforward approach, the cryptographic shares may be 
compressed in order to save memory space. In this approach, the inherent sequential 

1 5 ordering of the share table locations is utilized and points on the polynomial are chosen 
accordingly. Consider the share table 300 shown in Fig. 3. The share table 300 has 16 
locations. In the upper left comer of each location is shown the standard (row, column) 
index of the location. In the upper right comer of each location is shown the sequence 
number of the location. In a table having n columns, the standard (row.column) index 

20 can be converted to the sequence number by the equation: 

sequence # = {{row - 1) • + column . For example, in the table shown in Fig, 3 , 12 = 4, 
and table entry (3 ,2) has a sequence number of ((3 - 1) • 4) + 2 = 1 0 . In this embodiment, 
a valid cryptographic share is entered into a table location having sequence number by 
placing in that location the value p{s^) . Thus, only the y value of the polynomial point is 

25 stored in the table. The x value of the polynomial point is the sequence number of the 
share table location and can be derived from the standard (row.column) index. For 
example, in Fig. 3, location indexed by (3,2) would contain the value p{lQ) . It is noted 
that in this embodiment, prior to generating a vaUd cryptographic share for storage in the 
share table, the particular location within the share table in which the cryptographic share 
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will be stored must be known. The cryptographic share is decompressed using the stored 
y value in conjunction with the location in which it is stored. In this embodiment, the 
value stored in memory is considered a cryptographic share, and is stored in compressed 
format. 

We now describe an embodiment which stores encrypted shares in the share table. 
In accordance with this embodiment, the share table is stored as a plurality of rows 
(corresponding to the number of parameters/indices that may be generated) but a single 
column. A share table 400 in accordance with this embodiment of the invention is 
illustrated in Fig. 4. In a manner similar to that described above in conjunction with Fig. 
1, each row of the share table 400 (Fig. 4) corresponds to one of the indices y/ generated 
by applying the function /to a parameter ^ . Recall, as described above, 
f{A ,</>2>---<Pm') = {Wv¥2'--- y^,n} " ^hc shaTC table 400 stores cryptographic shares (e.g. 
points on the polynomial) which have been encrypted (by an encryption function E) using 
the expected values of the indices {WvWi,--- ¥m ] as the encryption key, such that a 
polynomial point (x, ,>;,) is encrypted as E^ _,,^^{x„y,). (The particular encryption 
fimction E would depend on the particular implementation.) As such, the stored 
encrypted shares may only be decrypted when an expected index value is generated. For 
example, the value stored in the share table 400 location corresponding to y/^ 
is (^1 ' 3^1 ) ' ^hlch Is a polynomial point (x, , ) which has been encrypted using 

the expected value of y/\ as the encryption key. The polynomial point {x^,y^) can only 
be decrypted using the expected value of y/^ as the decryption key. Of course, when an 
unexpected value for an index is used to decrypt an encrypted share, the decrypted share 
will not be a valid polynomial point. Thus, in accordance with this embodiment, the 
share table will accommodate any number of values which may be generated for an index 
y/ . Any index value which is not expected will not be able to decrypt the stored 
encrypted share. 

It is further noted that in accordance with the above described embodiment, a 
certain amount of parameter variation may be tolerated by varying the degree of the 
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polynomial from which points are chosen as shares. As described above in conjunction 
with Fig. 2, given a degree /-I polynomial, the knowledge of ? points on that polynomial 
are sufficient to determine p and thus the secret key k. So, in this embodiment, even 
though an attempt may be made to decrypt m cryptographic shares, the degree of 
5 polynomial p may be chosen such that p may be determined from less than m points on 
the polynomial. Thus, even if one (or more) of the indices ^ is generated incorrectly, 
and as a result the decryption of the corresponding share results in a point which is not on 
the polynomial, the correct polynomial may still be determinable using other generated 
points which are on the polynomial. In this case, in which we possess a sufficient 
1 0 number of valid points on the polynomial, together with some invalid points off the 
polynomial, well known techniques may be used to exclude the bad points in the 
determination of p. For example, various subsets of the generated points may be used in 
multiple attempts to determine p, until some pattern emerges which indicates the valid 
and invalid points. 

1 5 The above described embodiments were described assuming that the secret 

sharing scheme being used was a polynomial secret sharing scheme. However, other 
types of secret sharing schemes, some of which are described below, may also be used. 
In another embodiment of the invention, the polynomial scheme is modified such 

that the secret key k is defined as = g^^^^ mod r where r is prime, r-i is a multiple of q, 

20 and g has order q mod r, i.e., the set {g^ modr, g^ modr, modr,...} contains q 

elements. Rather than storing p{x^ ), pix^ as cryptographic shares in the share table, 

instead the values g^^""'"^ modrjg^^""'^ modr,. ..are stored as the cryptographic shares. 

Given pairs {x^yg^^""'^ modr),...,(x^,g^^'''^ modr), the value A: can be computed as 

25 k^Yl^g'^^'^ modr)^' modr 

where is as defined above. 
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In another embodiment of the invention, the secret key k is computed as the 
determinant of am mxm matrix over the integers mod q. The cryptographic shares are 
vectors that are used to compose the matrix. For ease of description, we describe this 
embodiment for a table with two columns. In this embodiment, random column vectors 

wl , each with m elements taken from the integers mod g, are selected such that 



i.e., k is the determinant of the matrix composed by these vectors. 
Another m random vectors are then computed so that 



10 

where u-^'^ = e. if b(i) = 0 and w f^'^ = if b{i) = 1 . Here, b(i) denotes the z-th bit of b, 

and denotes the unit vector with a 1 in position i and 0 in all other positions. Then, 

vectors m)^,...,^)^ are computed as w] ={w^ ^,..,wl)'Uj , The vector is the valid 
cryptographic share for the first column of the z-th row of the share table, and similarly 

1 5 wl is the valid cryptographic share for the second column of the z-th row of the share 
table. It then follows that for any 6 g {0,1}'" , \w^^'^ w^/^^ | - k. That is, with one valid 
cryptographic share from each row, the secret key k can be computed. 

An efficient algorithm to generate is as follows. An upper-triangular 

matrix C/' = is chosen that has 1 for each diagonal element and random 

20 integers mod q above the diagonal. Then, {u^ u^,^ ) = fl • f/' • 11"^ where 

n = ) is a permutation matrix (i.e., the identity matrix with columns permuted). 

We now describe a keystroke features authentication embodiment of the invention 
in which the inventive techniques are used to provide authentication in a computer 
system based on an entered password and keystroke features measured during entry of 

25 the password. In this embodiment, each user is associated with a password, identified as 
pwd. Further, when a user enters the pwd, a certain number, m, of features of the user's 
keystroke features are measured or derived. A measured feature is one that is actually 
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measured. For example^ if the pwd is 8 characters, in one illustrative embodiment there 
are 15 measured features, including 8 keypress durations and 7 latencies between 
keypresses. A derived feature is one which is not directly measured, but is derived from 
a measured feature (e.g., the ratio of the 7 and 8 keypress durations). Assume for 

5 purposes of this description that there are 15 features (m = 15). In this embodiment, a 
share table having m rows and 2 columns is used. Such a share table is shown in Fig. 5 
and will described in further detail below. 

Next a key k is chosen and cryptographic shares are generated using a secret 
sharing scheme as described above. Assume a polynomial secret sharing scheme is used 

1 0 and that the actual points of the polynomial are stored in the share table. Initially, 30 
valid cryptographic shares are generated and each location in the share table 500 is 
initialized to contain a valid cryptographic share. In order to add an additional measure 
of security, all values in share table 500 are encrypted using pwd as the encryption key, 
and may be decrypted using pwd as the decryption key. 

15 The function / which generates the indices y/. will now be described. For each 

measured keystroke feature parameter , there is an associated threshold which is 
used during the generation of the index y/^ for the particular measured feature. The 
function /is defined as follows: 



Thus, for each parameter representing a measured keystroke feature, the corresponding 
index generated by the function v^U be 0 if the parameter is less than the associated 
25 threshold and 1 if the parameter is greater than or equal to the associated threshold. The 
threshold may, for example, be a time value (e.g. 100ms). 

Each time a user enters a pwd each of the 15 keystroke features will be measured 
as a parameter . The function / will compare the parameter to the threshold 



f(</>l.^2^-"</>J={¥l.¥2^'-'Wn.}^ {0,1}' 



m 



20 



where 
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associated with that measurement and will generate y/^ as having a value of 0 or 1 
depending on which side of the threshold (p- falls on. The value of y/^ is then used as an 
index into the rth row of the table 500. The left column of row i is chosen if y/^ is 0, and 
the right column of row i is chosen if y/- is 1 . The value in the selected entry of the rth 
5 row is used as the cryptographic share from that particular row. After cryptographic 
shares have been selected from all 15 rows, they are used as described above to generate 
the key k. As described above, the cryptographic shares must first be decrypted using 
pwd "piiox to using them to generate the key k 

Since all share table 500 locations initially have valid cryptographic shares, initial 

10 access attempts which provide the correct pwd (to allow decryption of the share table 
500) will result in the generation of the correct key k. However, during subsequent 
access attempts, the access structure (i.e., the sets of entries in the share table which 
enable generation of the cryptographic key) defined by share table 500 is reduced based 
on the typing patterns of the user. This is accomplished through use of a history table, 

1 5 which stores the parameters , ? " * <t>m ^ given number of previous successful 

access attempts for each user. An illustrative history table 600 is shown in Fig. 6. As the 
history table 600 is populated with parameters, certain typing patterns of the associated 
user can be determined. Each of the measured parameters can be analyzed to determine 
if one of the parameters is associated with a distinguishing feature. A distinguishing 

20 feature is one which can be used to distinguish this user from other users. If a parameter 
<j>^ is consistently substantially more or less than the associated threshold , then the 
associated feature is considered a distinguishing feature, and the share table 500 may be 
rebuilt to make use of this distinguishing feature as follows. If a parameter (f>^ in the 
history table 600 is consistently on one side of the associated threshold , then it is 

25 assumed that this parameter (p^ will continue to be on the same one side of the associated 
threshold during subsequent legitimate access attempts by the same user. As such, the 
entry in the share table 500 corresponding to the other side of the threshold for this 
parameter will be changed to contain an invalid cryptographic share. Thus, the access 
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structure defined by share table 500 is thus reduced and in this way the share table 500 is 
modified to reflect the typing patterns of the authorized user. 

The history table can be analyzed and corresponding changes made to the share 
table 500 on a periodic basis. This may be done after every successful access by the user, 
5 after some number of successful accesses, or after some time period has elapsed. In an 
advantageous embodiment, when making changes to the share table 500, the key k 
remains the same, but the entire table is rebuilt using new cryptographic shares which are 
points on a new polynomial p. In this manner the share table, and therefore the access 
structure, dynamically adjust based on the user's typing patterns. Of course, depending 

1 0 on the typing patterns of the user, the share table may be modified to contain more, or 
less, valid cryptographic shares. 

Also, as described above, the degree of the polynomial p may be chosen to allow 
generation of the correct cryptographic key even though one (or more) of the selected 
share table locations contain an invalid cryptographic share. 

1 5 Thus, in order for the correct k to be generated, the user must enter the correct 

pwd (so that the cryptographic shares in the share table can be decrypted), and the pwd 
must be entered using keystroke features that will resuh in a sufficient number of valid 
cryptographic shares being chosen from the share table. A user could then be 
authenticated on the basis of whether the correct secret key k was generated. For 

20 example, this could be verified by decrypting a file with k and seeing if a correctly 
formatted file results, or by hashing k and comparing the result to a previously stored 
hash value. 

We have found that it is advantageous to fiirther implement an error tolerance 
scheme, as described above, in the keystroke features authentication embodiment. More 

25 particularly, we have found it advantageous to simultaneously vary the selection of two 
share table 500 locations in an attempt to generate the repeatable key. The variation 
consists of, for each of two share table rows, choosing the share fi*om the column other 
than the column actually indexed by the associated index generated by the fimction / 
Thus, if a repeatable key is not generated correctly based on the originally generated 

30 indices, then two rows of the share table 500 are chosen for variation. If the repeatable 
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key is still not generated correctly, then another two rows are chosen for variation. This 
continues until the correct repeatable key is generated or until all two-row combinations 
have been exhausted. 

The repeatable key k may also be used as an encryption key to encrypt the user's 
5 data in the computer. 

We now describe an embodiment of the invention in which the inventive 
techniques are used to protect a database which stores private information of individuals 
(e.g., convicted felons) which is only meant to be used for legitimate criminal 
investigation purposes. For example, if a criminal is suspected of a crime the database 

1 0 record for only that particular criminal should be accessible by investigators. As such, 
each record in the database is encrypted and may only be decrypted using a key which is 
generated using DNA measurements of the associated person. This is to assure that prior 
to accessing potentially private information about a person, the person's DNA has already 
been recovered from a crime scene, thus making the person a suspect in a crime. While a 

1 5 person's DNA is not dynamic, imprecise measurement techniques or imprecise samples 
may result in having incomplete DNA measurements. In accordance with the techniques 
of the present invention, a repeatable key to unlock the database records could be 
This embodiment of the invention utilizes the technique of storing shares 
generated with this incomplete DNA information.encrypted with expected index values, 

20 which was described above in conjunction with Fig. 4. When a record containing 
sensitive information is to be stored in the database, assume that certain DNA 
measurement of a person are known. Referring again to Fig, 4, assume that m DNA 
measurements have been taken. An appropriate polynomial p is chosen of degree 
where it is desired that knowledge of t points on the polynomial will allow access to the 

25 record, where t <m. The record is encrypted using a key k which is the point on the 

polynomial p which crosses the y axis, and the encrypted record is stored in the database. 
A share table which would allow the record to be decrypted in appropriate circumstances 
is generated as follows. Each DNA measurement is assigned a sequence number (1,2,... 
m) which correspond to parameters ^],^2^"'^m representing those measurements. A 

30 function/is chosen such that /(^i,^2^"*^?«')~{^i^^2'*"?^/«}- For example, the 
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function/may be a hash function. Using knowledge of the expected values of 
¥\^¥2^"'¥m together with knowledge of the polynomial p, points on the polynomial p 
are encrypted using expected index values as described above in conjunction with Fig. 4. 
Thereafter, the stored record of a person may only be decrypted by someone in 

5 possession of the DNA of that person. In order to decrypt the record, the appropriate 
sequence of DNA measurements are made in order to generate the parameters 
(^P<^2'""^„; representing those measurements. The function/is applied to the 
parameters (j>x,<t>2^'- in order to generate indices W\y¥2^'''¥m s^ch that 
f{^x.h.'-^m)^{Wx^Wi^'''Wn^' Each generated index xi/^ is used to decrypt the 

10 corresponding encrypted share ( -expected (^.^ J' J) stored in the fth row of the share table 
in order to generate the polynomial point {x^,y^ . The set of generated polynomial 
points may be used as described above in order to generate the cryptographic key k, 
which is the point at which the polynomial crosses the y axis. 

The foregoing Detailed Description is to be understood as being in every respect 

15 illustrative and exemplary, but not restrictive, and the scope of the invention disclosed 
herein is not to be determined from the Detailed Description, but rather from the claims 
as interpreted according to the fixU breadth permitted by the patent laws. It is to be 
understood that the embodiments shovm and described herein are only illustrative of the 
principles of the present invention and that various modifications may be implemented by 

20 those skilled in the art without departing from the scope and spirit of the invention. 
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We claim: 



1 LA method for generating a cryptographic key using at least one parameter 

2 comprising the steps of: 

3 retrieving at least one cryptographic share from a memory location identified as a 

4 function of said at least one parameter; and 

5 generating a cryptographic key based on said at least one cryptographic share. 

1 2. The method of claim 1 wherein said at least one retrieved cryptographic share 

2 is encrypted, said method further comprising the step of: 

3 decrypting said at least one cryptographic share. 

1 3 . The method of claim 2 wherein said step of decrypting comprises the step of: 

2 decrypting using a value computed as a function of said at least one parameter. 

1 4. The method of claim 1 wherein said at least one retrieved cryptographic share 

2 is compressed, said method further comprising the step of: 

3 decompressing said at least one cryptographic share. 

1 5. The method of claim 4 wherein said step of decompressing comprises the step 

2 of: 

3 decompressing said at least one cryptographic share using an index of said 

4 memory location. 

1 6. The method of claim 1 wherein said at least one parameter represents at least 

2 one measurement of a physical property. 

1 7. The method of claim 1 further comprising the step of: 

2 generating at least one index as a function of said at least one parameter; and 

3 using said index to identify said memory location. 
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1 8. The method of claim 7 further comprising the step of: 

2 retrieving a cryptographic share from a memory location in the vicinity of said 

3 memory location identified by said index. 

1 9. The method of claim 7 wherein said step of generating at least one index 

2 comprises the step of generating the same index for a set of parameter values. 

1 10. The method of claim 9 wherein said set of parameter values are within a 

2 predetermined range of values. 

1 11. A data structure comprising: 

2 a plurality of storage locations; 

3 a first subset of said plurality of storage locations containing valid cryptographic 

4 shares; and 

5 a second subset of said plurality of storage locations containing invalid 

6 cryptographic shares. 

1 1 2. The data structure of claim 1 1 wherein said first subset of storage 

2 locations correspond to storage locations which are expected to be accessed during a 

3 legitimate computer resource access attempt. 

1 13. The data structure of claim 1 1 wherein said second subset of storage location 

2 correspond to storage locations which are expected to be accessed during an illegitimate 

3 computer resource access attempt. 

1 14. The data structure of claim 1 1 wherein at least some of said cryptographic 

2 shares are encrypted. 
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1 15. The data structure of claim 14 wherein said encrypted cryptographic shares 

2 are encrypted with a password. 

1 16. The data structure of claim 1 1 wherein at least some of said cryptographic 

2 shares are compressed. 

1 17. The data structure of claim 1 1 wherein said cryptographic shares are 

2 cryptographic shares of a polynomial secret sharing scheme. 

1 18. The data structure of claim 1 1 wherein said cryptographic shares are 

2 cryptographic shares of a vector space secret sharing scheme. 

1 1 9. A method for maintaining a data structure which has valid cryptographic 

2 shares stored in a plurality of locations, said method comprising the step of: 

3 periodically changing the number of locations that contain valid cryptographic 

4 shares. 

1 20. The method of claim 19 wherein said step of changing the number of 

2 locations that contain valid cryptographic shares comprises the step of: 

3 storing invalid cryptographic shares in at least some locations which previously 

4 contained valid cryptographic shares. 

1 21 . The method of claim 20 further comprising the step of: 

2 storing said invalid cryptographic shares in locations which are not expected to be 

3 accessed in connection with an authorized computer resource access attempt. 

1 22. The method of claim 19 wherein said step of changing the number of 

2 locations that contain valid cryptographic shares comprises the step of: 

3 storing valid cryptographic shares in at least some locations which previously 

4 contained invalid cryptographic shares. 
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1 23 . The method of claim 22 fiirther comprising the step of: 

2 storing said valid cryptographic shares in locations which are expected to be 

3 accessed in connection with an authorized computer resource access attempt. 

1 24. A method for generating a cryptographic key comprising the steps of: 

2 measuring a plurality of keystroke features during entry of a password; 

3 retrieving from a data structure a plurality of cryptographic shares as a fimction of 

4 said plurality of keystroke features; and 

5 generating a cryptographic key using said cryptographic shares. 

1 25. The method of claim 24 wherein said cryptographic shares represent points 

2 on a polynomial. 

1 26. The method of claim 24 wherein said cryptographic shares represent vectors. 

1 27. The method of claim 24 wherein said cryptographic shares are compressed. 

1 28. The method of claim 27 wherein said cryptographic shares comprise y values 

2 of points on a polynomial and the corresponding x values are derivable from a data 

3 structure location. 

1 29. The method of claim 24 further comprising the step of: 

2 generating a plurality of indices as a function of said keystroke features; and 

3 using said plurality of indices to identify locations within said data structure from 

4 which to retrieve said cryptographic shares. 

1 30. The method of claim 29 wherein said step of generating a plurality of indices 

2 as a function of said keystroke features comprises the step of: 
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3 for each of said keystroke features, generating one of two indices as a function of 

4 a threshold value. 

1 31. The method of claim 29 wherein said step of generating a plurality of indices 

2 as a function of said keystroke features comprises the step of: 

3 for each of said keystroke features, generating one of a plurality of indices as a 

4 function of a plurality of threshold values. 

1 32. The method of claim 24 wherein said cryptographic shares stored in said data 

2 structure are encrypted, said method further comprising the step of; 

3 decrypting said cryptographic shares using said password. 

1 33. The method of claim 24 further comprising the steps of: 

2 maintaining a history file containing information relating to prior successful key 

3 generation attempts; and 

4 based on said history file, storing invalid cryptographic shares in data structure 

5 locations which are not expected to be accessed during subsequent legitimate key 

6 generation attempts. 

1 34. A method for generating a cryptographic key using a plurality of parameters 

2 having a sequence and representing physical measurements, said method comprising the 

3 steps of: 

4 for each of said plurality of parameters: 

5 retrieving an encrypted cryptographic share from a memory 

6 location as a function of the sequence of said parameter; 

7 decrypting said encrypted cryptographic share with a function of 

8 said parameter; and 

9 generating a cryptographic key using said decrypted cryptographic shares. 
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1 35. The method of claim 34 wherein said physical measurements are 

2 measurements of DNA. 

1 36. The method of claim 34 wherein said function of said parameter used to 

2 decrypt said encrypted cryptographic share is a hash function. 

1 37. A data structure for use in generating a cryptographic key based on n 

2 parameters representing physical measurements, said data structure comprising: 

3 n storage locations each associated with a respective one of said n parameters, 

4 each particular storage location containing an encrypted cryptographic share which was 

5 encrypted using an expected value of a function of the parameter associated with said 

6 particular storage location. 

1 38. The data structure of claim 37 wherein said function is a hash function. 

1 39. The data structure of claim 37 wherein said cryptographic key may be 

2 generated using less than n cryptographic shares. 
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Abstract of the Disclosure 

A repeatable cryptographic key is generated based on varying parameters which 
represent physical measurements. Locations within a share table, which locations store 
valid and invalid cryptographic shares, are identified as a function of received varying 

5 parameters. The share table is configured such that locations which are expected to be 
identified by legitimate access attempts contain valid cryptographic shares, and locations 
which are not expected to be identified by legitimate access attempts contain invalid 
cryptographic shares. The share table configuration may be modified based on prior 
history of legitimate access attempts. In various embodiments, the stored shares may be 

10 encrypted or compressed. A keystroke feature authentication embodiment uses the 

inventive techniques to implement an authentication system which authenticates based on 
an entered password and the manner in which (e.g. keystroke dynamics) the keystroke is 
entered. Another embodiment uses the inventive techniques to protect sensitive database 
information which is accessible using DNA measurements. 
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IN THE UNITED STATES 
PATENT AND TRADEMARK OFFICE 

Declaration and Power of Attorney 



As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my name. 

I hereby claim the benefit under Title 35, United States Code, 11 9(e) of any United 
States provisional applicatlon(s) identified below: 

Provisional application No. 60/128413, filed on April 8, 1999 
Provisional application No. 60/147880, filed on August 9, 1999. 

I believe 1 am an original, first and joint inventor of the subject matter which is claimed 
and for which a patent is sought on the invention entitled Generation Of Repeatable 
Cryptographic Key Based On Varying Parameters the specification of which is attached 
hereto. 

I hereby state that I have reviewed and understand the contents of the above identified 
specification, including the claims, as amended by an amendment, if any, specifically referred to 
in this oath or declaration. 

I acknowledge the duty to disclose all information known to me which is material to 
patentability as defined in Title 37, Code of Federal Regulations, 1.56. 

I hereby claim foreign priority benefits under Title 35, United States Code, 119 of any 
foreign application{s) for patent or inventor's certificate listed below and have also identified 
below any foreign application for patent or inventor's certificate having a filing date before that of 
the application on which priority is claimed: 

None 

I hereby claim the benefit under Title 35, United States Code, 120 of any United States 
application(s) listed below and, insofar as the subject matter of each of the claims of this 
application is not disclosed in the prior United States application in the manner provided by the 
first paragraph of Title 35, United States Code, 112, I acknowledge the duty to disclose all 
information known to me to be material to patentability as defined in Title 37, Code of Federal 
Regulations, 1 .56 which became available between the filing date of the prior application and 
the national or PCT international filing date of this application: 

None 

I hereby declare that all statements made herein of my own knowledge are true and that 
ail statements made on information and belief are believed to be true; and further that these 
statements were made with the knowledge that willful false statements and the like so made are 
punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States 
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Code and that such willful false statements may jeopardize the validity of the application or any 
patent issued thereon. 

I hereby appoint the following attorney(s) with full power of substitution and revocation, 
to prosecute said application, to make alterations and amendments therein, to receive the 
patent, and to transact all business in the Patent and Trademark Office connected therewith: 



Thomas J. Bean 
Lester H. Birnbaum 
Richard J, Botes 
Jeffery J. Brosemer 
Kenneth M. Brown 
Craig J. Cox 
Donald P. Dinella 
Guy H. Eriksen 
Martin I. Finston 
William S. Francos 
Barry H. Freedman 
Julio A. Garceran 
Jimmy Goo 
Anthony Grille 
Stephen M. Gurey 
John M. Harman 
Matthew J. Hodulik 
Michael B. Johannesen 
Mark A. Kurisko 
Irena Lager 
John B. Maclntyre 
Christopher N. Malvone 
Scott W. McLellan 
Martin G. Meder 
John C. Moran 
Michael A. Morra 
Gregory J. Murgia 
Claude R. Narcisse 
Joseph J. Opalach 
Neil R. Ormos 
Eugen E. Pacher 
Jack R. Penrod 
Gregory C. Ranieri 
Scott J. Rittman 
Ferdinand M. Romano 
Eugene J. Rosenthal 
Bruce S. Schneider 
Ronald D. Slusky 
David L. Smith 
Ozer M. N. Teitelbaum 
John P. Veschi 
David Volejnicek 
Charles L. Warren 
Jeffrey M. Weinick 
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(Reg, No. 
(Reg. No. 
(Reg. No. 
(Reg. No. 
(Reg. No. 
(Reg. No. 
(Reg. No. 
(Reg. No. 
(Reg. No. 
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(Reg. No. 
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25830) 
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36096) 
37590) 
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39961) 
41736) 
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26166) 
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36535) 
27336) 
38173) 
36164) 
35557) 
38944) 
39260) 
41170) 
34866) 
30776) 
34674) 
30782) 
28975) 
41209) 
38979) 
36229) 
35309) 
29964) 
31864) 
29695) 
39010) 
32752) 
36658) 
27949) 
26585) 
30592) 
36698) 
39058) 
29355) 
27407) 
36304) 
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Eli Weiss (Reg. No. 17765) 

Please address all correspondence to the Docket Administrator (Rm. 3C-512), Lucent 
Technologies Inc.. 600 Mountain Avenue, P. O. Box 636, Murray Hill, New Jersey 07974-0636. 
Telephone calls should be made to Jeffrey M Weinick by dialing 908-582-2188. 

Full name of 1st joint inventor: Philip L. Bohannon 

Inventor's signature ^^-yJ^ y.!^-^ Date U_h^c>^^'^ 

Residence: Piscataway, Middlesex County, New Jersey 

Citizenship: United States of America 

Post Office Address: 1 27 Orion Road 

Piscataway, New Jersey, 08854 



Full name of 2"'' inventoh B'mn Markus Jakobsson 




Inventor's signature K/y^^^^ Date ^ ' 

Residence: Hoboken, Hudson County, New Jersey 
Citizenship: Sweden 

Post Office Address: 1 203 Garden Street 

Hoboken, New Jersey, 07030 

Full name of 3^" inventor: 

Inventor's signaturk ^l^ /^^"^ ^'^^ ' ^ ^ 

Residence: New York, New York County, New York 
Citizenship: ST.LUCIA 

Post Office Address: 21 West 8th Street, Apt 3R 

New York City, New York, 1 001 1 
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Full name of 4*" inventor: Michael Kendrick Reiter 



Inventor's signature 




Residence: Raritan, Somerset County, New Jersey 

Citizenship: United States of America 

Post Office Address: 4 Bluebird Way 

Raritan, New Jersey, 08869 

Full name of 5*" inventor: Susanne Gudrun Wetzel 

Inventor's signature y,Ai,-.«w^ ia//±s^P Date _Td^J_jMD 

Residence: New Providence, Union County, New Jersey 

Citizenship: Fed. Rep. of Germany 

Post Office Address: 8 Gales Drive, Apt. #2 

New Providence, New Jersey, 07974 



